Yesterday was Patch Tuesday, the day that Microsoft releases a round of updates to patch security vulnerabilities in various products. The good news is that this month's bunch of updates fixed a total of 115 vulnerabilities. The bad news is that it didn't fix a critical one impacting Windows 10 users that was mistakenly disclosed on the same day.

That vulnerability has been named 'EternalDarkness' and 'SMBGhost' by various security vendors, both names being particularly descriptive. This 'wormable' flaw affects the Server Message Block (SMB) network communications protocol. Use wormable and SMB in the same breath, and they are usually followed by EternalBlue, the exploit developed by the National Security Agency (NSA) that was used in the 2017 WannaCry attacks.

Why SMBGhost? The Malware Hunter Team on Twitter was among the first to spot the vulnerability disclosure, an exposure that was made by mistake and quickly removed. Seeing as people believed the vulnerability existed, but nobody could actually see it, it was dubbed SMBGhost. Naming conventions apart, then, just how serious is this security issue?
I recently reported how hackers were targeting Windows 10 users who had newly updated their computers. I also reported on a Windows 10 ransomware threat that is hiding in plain sight. I mention both because updating your Windows 10 machines with the latest Patch Tuesday security updates isn't going to help prevent an exploit of this new vulnerability, which is now effectively also hiding in plain sight.
What is CVE-2020-0796?
It appears that CVE-2020-0796 was thought by some vendors to be included in the Patch Tuesday updates, and they accidentally published details of it in their update round-up blog. This being the internet, even though that disclosure was removed relatively quickly, details of the vulnerability and how it could be exploited soon spread across information security social media feeds.
The vulnerability in the SMB 3.0 network communication protocol, if successfully exploited by an attacker, could enable remote, arbitrary code execution and potentially give the attacker control of the system. One of the now-deleted security vendor blogs that accidentally leaked the disclosure said that CVE-2020-0796 exploitation was "wormable." This means that an attacker could move from victim to victim in a similar way to how the EternalBlue SMB exploit enabled WannaCry to spread so quickly.
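With no patch available, the practical defender's question is which Windows 10 hosts actually expose SMB 3.0 to the network. The following PowerShell is an added example, not from the article or from Microsoft: it inventories a host's SMB server state and, optionally, adds a firewall rule that blocks unsolicited inbound SMB (TCP 445) so a wormable exploit cannot reach the machine from untrusted networks. It assumes the built-in SmbShare and NetSecurity modules and an elevated session; the rule name is a constructed placeholder.

```powershell
# Added example (not the article's own code). Run elevated on a Windows 10 host.
# Assumes the SmbShare and NetSecurity modules that ship with Windows 8 / 2012+.

function Get-SmbExposure {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $smb = Get-SmbServerConfiguration
    # Any LISTEN socket on 445 means the SMB server is reachable on that interface.
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        Host             = $env:COMPUTERNAME
        OSBuild          = $os.BuildNumber
        SMB1Enabled      = $smb.EnableSMB1Protocol
        # SMB 3.x has no separate switch; it is governed by the SMB2 setting.
        SMB2And3Enabled  = $smb.EnableSMB2Protocol
        Port445Listening = [bool]$listen
        ListenAddresses  = ($listen | ForEach-Object { $_.LocalAddress }) -join ','
    }
}

function Block-InboundSmb {
    # Constructed rule name, used so the rule can be found and removed later.
    param([string]$RuleName = 'Block inbound SMB 445 (CVE-2020-0796 mitigation)',
          # Public only by default; add 'Private' or 'Domain' for hosts that
          # do not need to serve files, since that is where a worm would spread.
          [string[]]$Profiles = @('Public'))

    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$RuleName' already exists"
        return
    }
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile $Profiles -Enabled True | Out-Null
}

# Report first; apply the block only after reviewing which interfaces listen.
Get-SmbExposure | Format-List
# Block-InboundSmb -Profiles 'Public','Private'
```

The report is meant to be collected fleet-wide (for example via remoting) so that unpatched hosts with SMB 3.0 listening on untrusted interfaces can be shielded first.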